I am upgrading an existing application to Rails 5.2.
The old application uses Paperclip for file storage and I am trying to move it to ActiveStorage.
My app exposes an API that allows users to securely upload files (using key/secret pairs to sign requests).
When I installed ActiveStorage I found several new routes:
rails_service_blob GET /rails/active_storage/blobs/:signed_id/*filename(.:format) active_storage/blobs#show
rails_blob_representation GET /rails/active_storage/representations/:signed_blob_id/:variation_key/*filename(.:format) active_storage/representations#show
rails_disk_service GET /rails/active_storage/disk/:encoded_key/*filename(.:format) active_storage/disk#show
update_rails_disk_service PUT /rails/active_storage/disk/:encoded_token(.:format) active_storage/disk#update
rails_direct_uploads POST /rails/active_storage/direct_uploads(.:format) active_storage/direct_uploads#create
How can I disable those routes so that random uploads to my app are not allowed?
Using Active Storage, an application can transform image uploads or generate image representations of non-image uploads like PDFs and videos, and extract metadata from arbitrary files. Various features of Active Storage depend on third-party software which Rails will not install and which must be installed separately.
It comes with a local disk-based service for development and testing and supports mirroring files to subordinate services for backups and migrations.
The core features of Active Storage require the following permissions: s3:ListBucket, s3:PutObject, s3:GetObject, and s3:DeleteObject. Public access additionally requires s3:PutObjectAcl. If you have additional upload options configured such as setting ACLs then additional permissions may be required.
The Active Storage gem is used to attach, remove, serve, and analyze files. Attaching files: files can be attached as a single file or as multiple files, using the has_one_attached and has_many_attached macros accordingly. Below are the sample codes to add attachments. Active Storage enables attaching files and data to a record on storage services.
To securely remove all ActiveStorage routes without side effects, add this to config/application.rb:
class Application < Rails::Application
  ...
  # Runs after Rails has collected every engine's config/routes.rb into the
  # route reloader; dropping the Active Storage engine's file here means its
  # routes are never drawn, so the blob, disk and direct_uploads endpoints
  # above do not exist in the app.
  initializer(:remove_activestorage_routes, after: :add_routing_paths) { |app|
    app.routes_reloader.paths.delete_if { |path| path =~ /activestorage/ }
  }
  ...
end
I advise against replacing require 'rails/all' in config/application.rb with a list of rails gems grabbed from rails source code, which is often recommended.
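The filtering step that initializer performs, factored out so it can be checked against a constructed list of route files before it goes into config/application.rb; this is an added example, not code from the answer or from Rails. It assumes the gem is installed in a standard "activestorage-<version>" directory with its config/routes.rb, and the engine my_engine and all paths are constructed; it also shows that the answer's /activestorage/ pattern would drop the app's own routes.rb if the application directory contains that substring, which an anchored pattern avoids.

```ruby
# Added example (not from the answer above): the path filter the initializer
# applies, pulled out so it can be checked against constructed paths.

# The pattern used in the answer: any path containing "activestorage".
BROAD_PATTERN = /activestorage/

# Anchored alternative (assumption: standard "activestorage-<version>" gem
# directory containing config/routes.rb). Matches only the engine's own routes
# file, not an application directory that happens to contain the substring.
ENGINE_ROUTES_PATTERN = %r{/activestorage-[^/]+/config/routes\.rb\z}

# Mirrors app.routes_reloader.paths.delete_if { ... } without mutating the
# input; returns the route files Rails would still draw.
def prune_route_paths(paths, pattern = ENGINE_ROUTES_PATTERN)
  paths.reject { |path| path.match?(pattern) }
end

# Returns the route files the filter would drop; worth logging at boot so an
# over-broad pattern is noticed before the app's own routes vanish.
def dropped_route_paths(paths, pattern = ENGINE_ROUTES_PATTERN)
  paths - prune_route_paths(paths, pattern)
end

# Constructed sample of what routes_reloader.paths holds after the
# :add_routing_paths initializer: the app's routes.rb plus each engine's.
# The app directory name deliberately contains "activestorage" (edge case);
# my_engine is a hypothetical engine.
SAMPLE_PATHS = [
  "/srv/activestorage_uploader/config/routes.rb",
  "/usr/local/bundle/gems/activestorage-5.2.0/config/routes.rb",
  "/usr/local/bundle/gems/my_engine-1.0.0/config/routes.rb"
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "broad pattern drops:    #{dropped_route_paths(SAMPLE_PATHS, BROAD_PATTERN).inspect}"
  puts "anchored pattern drops: #{dropped_route_paths(SAMPLE_PATHS).inspect}"
end
```

After wiring the pattern into the initializer, confirm with `rails routes` that no /rails/active_storage/ entries remain and that the app's own routes are still listed.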